iptables: port forwarding with masquerading does not work

I have a bit of a problem with my port forwarding. NAT seems to work fine, and one port forward seems to work (UDP port 7887 to the machine 192.168.1.100), but none of the others do.

I have my suspicions about this, but eth1 and eth2 are on a dual-port network card.

WAN Internet access is provided by DHCP, so if possible the solution should be independent of the WAN_IP.

/opt/firewall.sh

    #!/bin/sh
    WAN="eth1"
    LAN="eth2"

    #ifconfig $LAN up
    #ifconfig $LAN 192.168.1.1 netmask 255.255.255.0

    # Enable routing between the interfaces
    echo 1 > /proc/sys/net/ipv4/ip_forward
    sysctl -w net.ipv4.ip_forward=1

    # Start from empty tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    # Default to drop
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Router itself: anything from the LAN in, anything out; LAN -> WAN forwarding with NAT
    iptables -A INPUT -i $LAN -j ACCEPT
    iptables -A OUTPUT -o $WAN -j ACCEPT
    iptables -A OUTPUT -o $LAN -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
    iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # Allow ICMP echo reply (0) / destination unreachable (3) / time exceeded (11).
    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT

    # SSH
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

    # WWW
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

    # TOR
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

    # I2P
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
    iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT

iptables -t nat -L -v

    Chain PREROUTING (policy ACCEPT 1047K packets, 80M bytes)
     pkts bytes target     prot opt in     out     source               destination
        5   232 DNAT       tcp  --  eth1   any     anywhere             anywhere             multiport dports ssh to:192.168.1.250
        1    60 DNAT       tcp  --  eth1   any     anywhere             anywhere             tcp dpt:www to:192.168.1.99:80
        0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere             multiport dports 9001,9030 to:192.168.1.250
        0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere             multiport dports 7887 to:192.168.1.100
    12166 4042K DNAT       udp  --  eth1   any     anywhere             anywhere             multiport dports 7887 to:192.168.1.100
        0     0 DNAT       tcp  --  eth1   any     anywhere             anywhere             multiport dports 8887 to:192.168.1.250
        0     0 DNAT       udp  --  eth1   any     anywhere             anywhere             multiport dports 8887 to:192.168.1.250

    Chain POSTROUTING (policy ACCEPT 12313 packets, 4085K bytes)
     pkts bytes target     prot opt in     out     source               destination
     637K   46M MASQUERADE all  --  any    eth1    anywhere             anywhere

    Chain OUTPUT (policy ACCEPT 395 packets, 62752 bytes)
     pkts bytes target     prot opt in     out     source               destination

iptables -L -v

    Chain INPUT (policy DROP 9336 packets, 846K bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    76 ACCEPT     all  --  lo     any     anywhere             anywhere
      467 55711 ACCEPT     all  --  eth2   any     anywhere             anywhere
       64  5598 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
       18  1796 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp destination-unreachable
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp time-exceeded

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    60586   29M ACCEPT     all  --  any    eth2    anywhere             anywhere             state RELATED,ESTABLISHED
    70888  126M ACCEPT     all  --  eth2   eth1    anywhere             anywhere
        0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250        multiport dports ssh
        0     0 ACCEPT     tcp  --  any    any     anywhere             192.168.1.99         tcp dpt:www state NEW,RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250        multiport dports 9001,9030
        0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.100        multiport dports 7887
      646  310K ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.100        multiport dports 7887
        0     0 ACCEPT     tcp  --  eth1   eth2    anywhere             192.168.1.250        multiport dports 8887
        0     0 ACCEPT     udp  --  eth1   eth2    anywhere             192.168.1.250        multiport dports 8887

    Chain OUTPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      157 13421 ACCEPT     all  --  any    lo      anywhere             anywhere
       76  9678 ACCEPT     all  --  any    eth1    anywhere             anywhere
      159 26706 ACCEPT     all  --  any    eth2    anywhere             anywhere

Connection tests:

    me@external-host $ ssh WAN_IP
    ssh: connect to host WAN_IP port 22: Connection timed out
    me@external-host $ wget WAN_IP
    --2012-05-06 15:46:50--  http://WAN_IP/
    Connecting to |WAN_IP|:80... failed: Connection timed out.

Log from the connection tests:

    May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:23 router kernel: [11697.832960] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=17468 DF PROTO=TCP SPT=52324 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:24 router kernel: [11698.831733] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=32834 DF PROTO=TCP SPT=52325 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:25 router kernel: [11699.830620] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=28252 DF PROTO=TCP SPT=52326 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:26 router kernel: [11700.829493] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43537 DF PROTO=TCP SPT=52327 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
    May 8 21:04:27 router kernel: [11701.829118] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55720 DF PROTO=TCP SPT=52328 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
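The kernel log above is the useful part of this question: every line is a SYN arriving on eth1 and leaving on eth2 towards 192.168.1.99:80, so the DNAT and FORWARD rules are doing their job. What is missing is any ACK from the same client, which the same LOG rule would also have recorded if 192.168.1.99 had answered the SYN. Below is an added example, not part of the original question, of a small POSIX sh/awk helper that summarises iptables LOG lines by (source, destination, port), counting only SYN packets without ACK, and flags destinations that collect repeated unanswered SYNs. It assumes the standard iptables LOG line format and an awk on the router; the function names `syn_counts` and `unanswered` are mine. The embedded sample is constructed: five lines copied from the log above plus one UDP line for the 7887 forward to show that non-SYN traffic is ignored.

```shell
#!/bin/sh
# Added example, not from the original question: summarise iptables LOG lines
# from the FORWARD chain to spot DNAT targets that never complete a handshake.
# Assumes POSIX sh and awk; the log lines use the standard iptables LOG format.

# Constructed sample: five lines taken from the question's log plus one UDP
# line (the forward that did work) to show that non-SYN traffic is ignored.
SAMPLE_LOG='May 8 21:04:18 router kernel: [11692.837693] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=35931 DF PROTO=TCP SPT=52319 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:19 router kernel: [11693.837174] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=24784 DF PROTO=TCP SPT=52320 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:20 router kernel: [11694.835943] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57280 DF PROTO=TCP SPT=52321 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:21 router kernel: [11695.835159] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=10721 DF PROTO=TCP SPT=52322 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.833763] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19002 DF PROTO=TCP SPT=52323 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
May 8 21:04:22 router kernel: [11696.900000] FOWARD: IN=eth1 OUT=eth2 SRC=130.235.35.233 DST=192.168.1.100 LEN=1200 TOS=0x00 PREC=0x00 TTL=52 ID=19003 PROTO=UDP SPT=40000 DPT=7887 LEN=1180'

# syn_counts: read LOG lines on stdin and print "SRC DST DPT N" for every
# (source, destination, port) tuple, counting only packets with SYN and no
# ACK. A client that received a SYN-ACK would send an ACK through the same
# chain, so SYN-only lines with no ACK lines mean the handshake never completed.
syn_counts() {
    awk '
    / SYN / && !/ ACK / {
        src = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        n[src " " dst " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# unanswered THRESHOLD: print "DST:DPT N" for destinations that received at
# least THRESHOLD unanswered SYNs. Repeated SYNs that already left on the LAN
# interface (OUT=eth2) but never get answered point at the target host, not at
# the DNAT/FORWARD rules on the router.
unanswered() {
    syn_counts | awk -v t="$1" '$4 >= t { print $2 ":" $3, $4 }'
}

# Stand-alone run over the constructed sample (reads a real log with e.g.
# grep 'FOWARD:' /var/log/kern.log | unanswered 3).
printf '%s\n' "$SAMPLE_LOG" | unanswered 3
```

On the sample this prints `192.168.1.99:80 5`, which is the same conclusion the poster reached by hand: the packets reach the LAN side and the web host simply is not there to answer.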

It turned out that one internal machine had been shut down, and my WAN_IP had changed (because of DHCP).

During my troubleshooting I tidied up the script; it is now fully functional without being too fancy. Feel free to copy it!

/opt/firewall.sh

    #!/bin/sh
    WAN="eth1"
    LAN="eth2"

    #ifconfig $LAN up
    #ifconfig $LAN 192.168.1.1 netmask 255.255.255.0

    echo 1 > /proc/sys/net/ipv4/ip_forward
    sysctl -w net.ipv4.ip_forward=1

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    #
    # Debug logging
    #iptables -I INPUT 1 --source 130.235.35.233/31 -j LOG --log-prefix "INPUT: "
    #iptables -I FORWARD 1 --source 130.235.35.233/31 -j LOG --log-prefix "FOWARD: "

    #
    # Default to drop packets
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    #
    # Allow all local loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #
    # Allow output on the $WAN and $LAN interfaces. Allow input on the $LAN interface.
    iptables -A INPUT -i $LAN -j ACCEPT
    iptables -A OUTPUT -o $WAN -j ACCEPT
    iptables -A OUTPUT -o $LAN -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
    iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

    # Allow ICMP echo reply/echo request/destination unreachable/time exceeded
    iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # SSH
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 22 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 22 -j ACCEPT

    # WWW
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 80,443 -j DNAT --to 192.168.1.99
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.99 -m multiport --dports 80,443 -j ACCEPT

    # TOR
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 9001,9030 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 9001,9030 -j ACCEPT

    # I2P
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 7887 -j DNAT --to 192.168.1.100
    iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.100 -m multiport --dports 7887 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p tcp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT
    iptables -t nat -A PREROUTING -p udp -i $WAN -m multiport --dports 8887 -j DNAT --to 192.168.1.250
    iptables -A FORWARD -p udp -i $WAN -o $LAN -d 192.168.1.250 -m multiport --dports 8887 -j ACCEPT

    exit 0 #report success
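Each forwarded service in the script above needs the same two rules: a DNAT in the nat PREROUTING chain for packets arriving on $WAN, and a FORWARD ACCEPT that admits only that destination and port list from $WAN to $LAN (everything else stays at the DROP policy). Matching on the incoming interface rather than on an address is also what makes the rules independent of the DHCP-assigned WAN_IP. The helper below is an added example, not part of the original answer: it generates that pair from a (protocol, ports, destination) triple, rejects anything other than tcp/udp or a malformed port list, and prints the commands instead of applying them unless DRY_RUN=0. The interface names and the forwards listed in `apply_forwards` are taken from the answer's script; the function names `ipt`, `forward_port`, `forward_tcp_udp` and `apply_forwards` are mine.

```shell
#!/bin/sh
# Added example, not from the original answer: generate the DNAT + FORWARD
# rule pair for each forwarded service instead of writing it out by hand.
# DRY_RUN=1 (the default here) prints the iptables commands; DRY_RUN=0 runs them.
WAN="eth1"
LAN="eth2"
DRY_RUN="${DRY_RUN:-1}"

# ipt: print or execute an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# forward_port PROTO PORTS DEST
# Emits the two rules used per service: DNAT in nat PREROUTING for packets
# arriving on $WAN, and a FORWARD ACCEPT limited to that destination and port
# list going from $WAN to $LAN. PORTS is a multiport list such as 80,443.
forward_port() {
    proto="$1"; ports="$2"; dest="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$ports" in
        ''|*[!0-9,]*) echo "forward_port: bad port list '$ports'" >&2; return 1 ;;
    esac
    ipt -t nat -A PREROUTING -p "$proto" -i "$WAN" -m multiport --dports "$ports" -j DNAT --to "$dest"
    ipt -A FORWARD -p "$proto" -i "$WAN" -o "$LAN" -d "$dest" -m multiport --dports "$ports" -j ACCEPT
}

# forward_tcp_udp PORTS DEST: the same forward for both protocols (as for I2P).
forward_tcp_udp() {
    forward_port tcp "$1" "$2" && forward_port udp "$1" "$2"
}

# The forwards from the answer's script, expressed with the helper.
apply_forwards() {
    forward_port tcp 22        192.168.1.250   # SSH
    forward_port tcp 80,443    192.168.1.99    # WWW
    forward_port tcp 9001,9030 192.168.1.250   # TOR
    forward_tcp_udp 7887       192.168.1.100   # I2P
    forward_tcp_udp 8887       192.168.1.250
}

apply_forwards
```

Run as-is it prints the fourteen rule lines for review; `DRY_RUN=0 ./forwards.sh` (after the flush and policy setup from the script above) applies them. Keeping the FORWARD rule tied to `-d "$dest"` and `-i "$WAN" -o "$LAN"` is what stops a DNAT target from becoming a general opening in the FORWARD chain.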